I have recently purchased a domain and am trying to set it up with my Disroot email account. Although I am a regular contributor, I have not yet sent the domain linking form (reasons explained below). If you can spare the time for a newbie in DNS settings, I would be very grateful for your help on two issues. I have searched this forum and found no answer.

1. SPF record

The first and least one is about the DNS settings given in Disroot’s domain linking form. From what I understand, an SPF record is actually a TXT record beginning with v=spf1; at least I hope so, because I can enter records of type TXT but not SPF (this option is simply not available). Then, why are there two different SPF records in the domain linking form (points 3 and 4)? It seems, to the newbie I am, that the second (point 4) contradicts the first one (point 3).

2. Aliases and email forwarding

The second and most important question is about identities (email aliases) and email forwarding. The five possible email aliases offered in the domain linking form would be enough for my identities (family, work, web, etc.). However, ‘infinite aliases’ such as ebay@mydomai.ne or myname+klm@mydomain.ne would be awesome.

I discovered that my domain name registrar (Njalla) offered an ‘email forwarding’ feature, with that sweet ‘catch all’ option. Thinking this was the same thing as the aliases offered by Disroot, I thought I would use Njalla’s feature instead. My tests revealed that I could receive emails at the addresses forwarded by Njalla, but not send emails ‘from’ them; I guess that means these are not real ‘aliases’.

Ideally, I would like to use Disroot’s aliases for my few identities, and define other forwarding addresses (especially a ‘catch all’) at Njalla’s end. My problem is that, to enable email forwarding, Njalla sets (and locks) two DNS records:

- MX (Priority 10) to mail (without possibility to add another MX record) and
- A, Name mail, to some IP address.

This prevents me from having Disroot's ‘real’ aliases at the same time as Njalla’s ‘catch all’ forwarding. Is that a technical incompatibility? If not, can I make it work somehow? Should I contact Njalla’s staff? If so, asking what?

Thank you, dear reader, for any help you can give me on these two questions.

The Sender Policy Framework tells who is allowed to send emails on behalf of your domain. It is an SPF record, but the record type SPF is legacy. Today you set up the record as a TXT record. If you have both options, you set both up exactly the same.

SPF = SPF settings saved as a TXT record, with an SPF record as fallback for (very) old mail servers.

v=spf1 mx a ptr include:disroot.org ~all

- mx = all MX records of the domain
- a = IPv4/v6 of the domain
- ptr = reverse DNS of the domain (slow, do not use it if you do not need it)
- include = allow disroot.org
- ~all = softfail

I did not set it up as wanted for my domain, but I have another use case.

The mail server of the sender may try to get the email to you in that order. It will only use the next entry if the entry before fails.

If you want to use the catch-all option with your provider, it needs to be first. You would receive every email with your provider. Disroot as second option won't ever be used, except when the first option fails.

If you want to use Disroot as primary, you need to set up Disroot's MX as primary. You would lose the catch-all because of the following:

Sender tries a good email of yours. The sender's mail server delivers it to Disroot because Disroot tells the sender that the email address is good to go.

But the sender tries a bad email of yours: the sender's mail server does not deliver it to Disroot because Disroot tells the sender that the email address does not exist.

The sender should at this point receive an error. You do not know if the sender's email server would try your second MX entry in this case, because even when we have a "failure" here we need to differentiate:

failure (counts towards trying another MX entry) = I could not deliver the message because I could not connect to the recipient mail server

failure (does not count towards trying another MX entry) = I could connect to the mail server, but it told me that the recipient does not exist
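The MX fallback behaviour described above, as an added example that is not code from the thread or from Disroot: a small simulation of a sending MTA walking the MX list, where only a connection failure moves on to the next host and a 550 "user unknown" from the primary ends delivery. Hostnames, addresses and the set of known aliases are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class MailServer:
    name: str
    reachable: bool
    known_users: Optional[frozenset]   # None means catch-all: any local part accepted

    def rcpt_to(self, address: str) -> str:
        """SMTP reply this server would give at RCPT TO for `address`."""
        local_part = address.split("@")[0]
        if self.known_users is None or local_part in self.known_users:
            return "250 OK"
        return "550 5.1.1 user unknown"

def deliver(mx_records: list[tuple[int, MailServer]], address: str) -> tuple[str, str]:
    """Walk the MX list lowest preference first, like a sending MTA.

    Only a connection failure moves on to the next MX host. A host that
    answers 550 has made a final decision for the domain, so the sender
    bounces the message and never tries the remaining MX hosts.
    """
    for _pref, server in sorted(mx_records, key=lambda r: r[0]):
        if not server.reachable:
            continue                        # "could not connect": try the next MX
        reply = server.rcpt_to(address)
        if reply.startswith("250"):
            return "delivered", server.name
        return "bounced", f"{server.name}: {reply}"   # permanent reject: stop here
    return "deferred", "no MX host reachable"

# Constructed setup: Disroot-style primary knowing only the configured aliases,
# registrar forwarding host with catch-all as the secondary MX.
DISROOT = MailServer("mx.disroot.example", True, frozenset({"family", "work"}))
CATCHALL = MailServer("mail.registrar.example", True, None)
DISROOT_PRIMARY = [(10, DISROOT), (20, CATCHALL)]
CATCHALL_PRIMARY = [(10, CATCHALL), (20, DISROOT)]

if __name__ == "__main__":
    for addr in ("family@mydomain.example", "ebay@mydomain.example"):
        print(addr, "->", deliver(DISROOT_PRIMARY, addr))
    print("catch-all primary:", deliver(CATCHALL_PRIMARY, "ebay@mydomain.example"))
```

The secondary catch-all only ever receives mail when the primary host is unreachable, never when the primary rejected the recipient.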

Lots of thanks to you, @idnovic! Thanks for the extensive explanations, for the advice, and for the proposed solution.

Although it took me a while, I studied carefully all the information you gave.

idnovic:

Sounds like your provider does not allow you to edit MX records? If that is the case, you need another DNS. Please clarify.

I can edit MX records, as long as I don’t enable email forwarding (disabled by default). It’s a simple switch in the web interface. If I enable email forwarding, two DNS records are automatically set:

- MX (Priority 10) to mail (without possibility to add another MX record) and
- A, Name mail, to some IP address.

Additionally, no other MX record can then be set. If I disable email forwarding, I am free to edit anything and everything again.

Thanks also for your advice and warning on catch-all. I agree with you on both counts. What I actually want is the ability to create account-specific forwarding addresses, such as account+*@mydomai.ne. You could say that the catch-all is just the lazy way to do it. I’ll consider creating manually account+somewebsite@mydomai.ne, instead.

As a conclusion, if I understand your solution correctly, I can set:

- MX: whatever my domain provider needs/wants to be able to forward email (and I set up forwarding to my Disroot address);
- SPF: v=spf1 mx a ptr include:disroot.org ~all;

and that will be enough for me to send emails as myalias1@disroot.org, myalias2@disroot.org, etc. I’ll try that.

Only one thing remains unclear to me. According to Disroot’s recommended DNS settings, I have to set up two TXT (SPF) records:

1. v=spf1 mx a ptr include:disroot.org ~all
2. v=spf1 mx ~all

I don’t understand what purpose record 2 serves, since record 1 already includes ~all. Should I add it too?

I was also thinking you meant @yourowndomain and not @disroot; the following only counts for @yourowndomain. You can not set up anything related to @disroot because you do not own that domain.

Yes, SPF: v=spf1 mx a ptr include:disroot.org ~all will be enough if you only have 1 email provider. I recommend an "SPF generator" for newbies. Something along the line of:

v=spf1 mx a include:disroot.org ~all

created by hXXps://www.spfwizard.net

Disroot's recommendation is to set the first SPF record, matching the current technological standpoint, as a TXT record. The second record for SPF is only for old mail servers, which may choose to use it because they do not understand SPF as a TXT record. It is legacy, but I have it set up. I have set up 2 x SPF records: 1 as TXT and 1 as SPF. Remember, the SPF record type is legacy. You do the setup as TXT today.

On that point I am also unsure. It is possible that the old legacy SPF record does not understand every setting you may include in the "new" SPF as a TXT record. From my perspective, you could choose to not set up the legacy SPF record.

Trial and error. I can tell you it works for me and I use this (I have a backup email provider):

txt (new standard): v=spf1 mx a:disroot.org include:zoho.eu -all
spf (legacy): v=spf1 mx a:disroot.org include:zoho.eu -all

and I just changed it to

txt and spf: v=spf1 mx include:disroot.org include:zoho.eu -all

As you may see, it was not the recommendation from Disroot. Here you can read up on the difference: hXXps://stackoverflow.com/questions/15240470/what-is-the-difference-between-a-spf-include-and-a

The ~all or -all at the end tells the recipient how to treat misbehaving emails. It does not mean "everything is allowed".
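To make the SPF discussion above concrete, an added example (not code from the thread, Disroot or the SPF wizard): a minimal evaluator over a constructed, offline DNS table that shows how the records quoted in this thread (mx/a/include with ~all, the shorter mx ~all, and a -all variant) classify a given sending IP, and, as a caveat a practitioner should know, that publishing two v=spf1 TXT records at the same name is a permerror under RFC 7208 section 4.5, so a legacy copy belongs in a type-SPF record or nowhere, not in a second TXT. All domain names, IPs and the disroot.org entries in the table are constructed placeholders.

```python
from __future__ import annotations

# Constructed, offline DNS table (documentation address ranges). The
# disroot.org entries are placeholders for this demo, not Disroot's real records.
DNS = {
    "mydomain.example": {"A": ["198.51.100.10"], "MX": ["mail.mydomain.example"],
                         "TXT": ["v=spf1 mx a ptr include:disroot.org ~all"]},
    "short.example":    {"MX": ["mail.mydomain.example"], "TXT": ["v=spf1 mx ~all"]},
    "strict.example":   {"MX": ["mail.mydomain.example"],
                         "TXT": ["v=spf1 mx include:disroot.org -all"]},
    "double.example":   {"TXT": ["v=spf1 mx a ptr include:disroot.org ~all", "v=spf1 mx ~all"]},
    "mail.mydomain.example": {"A": ["198.51.100.20"]},
    "disroot.org":      {"A": ["203.0.113.5"], "MX": ["mx.disroot.org"], "TXT": ["v=spf1 mx a -all"]},
    "mx.disroot.org":   {"A": ["203.0.113.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def a_records(name: str) -> set[str]:
    return set(DNS.get(name, {}).get("A", []))

def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF policy of `domain` for sending IP `ip` (RFC 7208 subset:
    mechanisms a, mx, include, all; ptr is skipped; no ip4/ip6/redirect/exp)."""
    if depth > 10:
        return "permerror"                  # include recursion is capped like a real resolver
    records = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "permerror" if records else "none"   # RFC 7208 4.5: >1 SPF record is permerror
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in a_records(target)
        elif name == "mx":
            matched = any(ip in a_records(mx) for mx in DNS.get(target, {}).get("MX", []))
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue                        # ptr and anything unknown: not evaluated here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # record ended without matching "all"

if __name__ == "__main__":
    for dom in ("mydomain.example", "short.example", "strict.example", "double.example"):
        print(dom, {ip: check_host(ip, dom) for ip in ("203.0.113.25", "192.0.2.1")})
```

The same unlisted sender gets softfail under ~all and fail under -all; neither qualifier allows it, they only differ in how strongly the receiver is told to treat it.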

It does not work the way we talked about till now, but the following does work:

username+tag@disroot.org and name+tag@owndomain.com

So it works as suffix but does not as prefix. I was only thinking about prefix. Muppeth confirmed the suffix method and I did try it out with my own domain. Conclusion is that you may move your emails to Disroot completely and forget the MX of your current provider after all. I updated the answers I gave lastly to conform with the new information.